oss-sec mailing list archives
Re: CVE request for vulnerability in OpenStack Keystone
From: cve-assign () mitre org
Date: Tue, 17 May 2016 15:48:18 -0400 (EDT)
Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass

By rescoping a token a user will receive a new token without correct audit_ids, these incorrect audit_ids will prevent the entire chain of tokens from being revoked properly. This vulnerability does not impact revoking a token by its individual audit_id. Only deployments with Keystone configured to use Fernet tokens are impacted.

https://launchpad.net/bugs/1577558
caused token rescoping to not work because audit ids were never pulled from the original token.
Use CVE-2016-4911.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
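The following is an added illustration, not part of the original message and not Keystone's code: a simplified model of why a rescoped token that does not inherit its parent's audit ID escapes chain revocation while remaining revocable by its own audit_id. It assumes audit_ids is laid out as [own ID, chain ID]; all function names and the event dictionaries are hypothetical.

```python
import secrets

def new_audit_id():
    # Constructed stand-in for a random, URL-safe audit ID.
    return secrets.token_urlsafe(16)

def issue_token(user):
    # A freshly issued token carries only its own audit ID.
    return {"user": user, "audit_ids": [new_audit_id()]}

def rescope_correct(parent, project):
    # Expected behaviour: new own ID first, the chain ID (the root token's
    # audit ID) carried over from the parent as the last element.
    return {"user": parent["user"], "project": project,
            "audit_ids": [new_audit_id(), parent["audit_ids"][-1]]}

def rescope_buggy(parent, project):
    # Models the reported flaw: audit IDs are never pulled from the parent,
    # so the rescoped token starts a chain of its own.
    return {"user": parent["user"], "project": project,
            "audit_ids": [new_audit_id()]}

def is_revoked(token, events):
    # A token is revoked if an event names its own audit ID, or names the
    # chain ID it belongs to (assumed layout: [own ID, chain ID]).
    own, chain = token["audit_ids"][0], token["audit_ids"][-1]
    for ev in events:
        if ev.get("audit_id") == own:
            return True
        if ev.get("audit_chain_id") == chain:
            return True
    return False

def demo():
    root = issue_token("alice")  # constructed sample user
    good = rescope_correct(root, "proj-a")
    bad = rescope_buggy(root, "proj-a")
    chain_event = [{"audit_chain_id": root["audit_ids"][0]}]
    single_event = [{"audit_id": bad["audit_ids"][0]}]
    return {
        "root_revoked": is_revoked(root, chain_event),
        "good_revoked": is_revoked(good, chain_event),
        "bad_revoked_by_chain": is_revoked(bad, chain_event),
        "bad_revoked_by_own_id": is_revoked(bad, single_event),
    }

if __name__ == "__main__":
    print(demo())
```

A regression test for a fix along these lines would assert that every rescoped token's last audit ID equals the original token's audit ID.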
Current thread:
- CVE request for vulnerability in OpenStack Keystone morgan fainberg (May 17)
- Re: CVE request for vulnerability in OpenStack Keystone cve-assign (May 17)